[0001] This invention relates to methods and systems for converting a first key value of a first communications system to a second key value of a second communications system.

[0002] FIG. 1 depicts a schematic diagram of first and second wireless communications systems which provide wireless communications service to wireless units (e.g., wireless units 12a-c) that are situated within the geographic regions 14 and 16, respectively. A Mobile Switching Center (e.g. MSCs 20 and 24) is responsible for, among other things, establishing and maintaining calls between the wireless units, calls between a wireless unit and a wireline unit (e.g., wireline unit 25), and/or connections between a wireless unit and a packet data network (PDN), such as the internet. As such, the MSC interconnects the wireless units within its geographic region with a public switched telephone network (PSTN) 28 and/or a packet data network (PDN) 23. The geographic area serviced by the MSC is divided into spatially distinct areas called "cells." As depicted in FIG. 1, each cell is schematically represented by one hexagon in a honeycomb pattern; in practice, however, each cell has an irregular shape that depends on the topography of the terrain surrounding the cell.

[0003] Typically, each cell contains a base station (e.g. base stations 22a-e and 26a-e), which comprises the radios and antennas that the base station uses to communicate with the wireless units in that cell. The base stations also comprise the transmission equipment that the base station uses to communicate with the MSC in the geographic area. For example, MSC 20 is connected to the base stations 22a-e in the geographic area 14, and an MSC 24 is connected to the base stations 26a-e in the geographic region 16. Within a geographic region, the MSC switches calls between base stations in real time as the wireless unit moves between cells, referred to as call handoff. Depending on the embodiment, a base station controller (BSC) can be a separate base station controller (BSC) (not shown) connected to several base stations or located at each base station which administers the radio resources for the base stations and relays information to the MSC.

[0004] The MSCs 20 and 24 use a signaling network 32, such as a signaling network conforming to the standard identified as TIA/EIA-41-D entitled "Cellular Radiotelecommunications Intersystem Operations," December 1997 ("IS-41"), which enables the exchange of information about the wireless units which are roaming within the respective geographic areas 14 and 16. For example, a wireless unit 12a is roaming when the wireless unit 12a leaves the geographic area 14 of the MSC 20 to which it was originally assigned (e.g. home MSC). To ensure that a roaming wireless unit can receive a call, the roaming wireless unit 12a registers with the MSC 24 in which it presently resides (e.g., the visitor MSC) by notifying the visitor MSC 24 of its presence. Once a roaming wireless unit 12a is identified by a visitor MSC 24, the visitor MSC 24 sends a registration request to the home MSC 20 over the signaling network 32, and the home MSC 20 updates a database 34, referred to as the home location register (HLR), with the identification of the visitor MSC 24, thereby providing the location of the roaming wireless unit 12a to the home MSC 20.

[0005] After a roaming wireless unit is authenticated, the home MSC 20 provides to the visitor MSC 24 a customer profile which indicates the features available to the roaming wireless unit, such as call waiting, caller id, call forwarding, three-way calling, and international dialing access. Upon receiving the customer profile, the visitor MSC 24 updates a database 36, referred to as the visitor location register (VLR), to provide the same features as the home MSC 20. The HLR, VLR and/or the authentication center (AC) can be co-located at the MSC or remotely accessed.

[0006] If a wireless unit is roaming between wireless communications systems using different wireless communications standards, providing the wireless unit with the same features and services in the different wireless communications systems is complex if even feasible. There are currently different wireless communication standards utilized in the U.S., Europe, and Japan. The U.S. currently utilizes two major wireless communications systems with differing standards. The first system is a time division multiple access system (TDMA) and is governed by the standard known as IS-136, the second system is a code division multiple access (CDMA) system governed by the standard known as IS-95. Both communication systems use the standard known as IS-41 for intersystem messaging, which defines the authentication procedure.

[0007] In TDMA, users share a frequency band, each user's speech is stored, compressed and transmitted as a quick packet, using controlled time slots to distinguish them, hence the phrase "time division". At the receiver, the packet is decompressed. In the IS-136 protocol three users share a given carrier frequency. In contrast, CDMA uses a unique code to "spread" the signal across the wide area of the spectrum (hence the alternative name - spread spectrum), and the receiver uses the same code to recover the signal from the noise. A very robust and secure channel can be established, even for an extremely low-power signal. Further, by using different codes, a number of different channels can simultaneously share the same carrier signal without interfering with each other. Both CDMA and TDMA systems are defined for Second Generation (2G) and Third Generation (3G) phases with differing requirements for user information privacy or confidentiality.

[0008] Europe utilizes the Global System for Mobiles (GSM) network as defined by the European Telecommunications Standard Institute (ETSI). GSM is a TDMA standard, with 8 users per carrier frequency. The speech is taken in 20 msec windows, which are sampled, processed, and compressed. GSM is transmitted on a 900 MHz carrier. There is an alternative system operating at 1.8 GHz (DCS 1800), providing additional capacity, and is often viewed as more of a personal communication system (PCS) than a cellular system. In a similar way, the U.S. has also implemented DCS-1800, another GSM system operating on the different carrier of 1.9 GHz. Personal Digital Cellular (PDC) is the Japanese standard, previously known as JDC (Japanese Digital Cellular). PDC is a TDMA standard similar to the U.S. standard known as IS-54 protocol.

[0009] The GSM network utilizes a removable user identification module (UIM) which is a credit card size card which is owned by a subscriber, who slides the UIM into any GSM handset to transform it into "their" phone. It will ring when their unique phone number is dialed, calls made will be billed to their account; all options and services connect; voice mail can be connected and so on. People with different UIMs can share one "physical" handset, turning it into several "virtual" handsets, one per UIM. Similar to the U.S. systems, the GSM network also permits "roaming", by which different network operators agree to recognize (and accept) subscribers from other wireless communications systems or networks, as wireless units (or UIMs) move. So, British subscribers can drive through France or Germany and use their GSM wireless unit to make and receive calls (on their same UK number), with as much ease as an American businessman can use a wireless unit in Boston, Miami, or Seattle, within any one of the U.S. wireless communications systems. The GSM system is defined as a Second Generation (2G) system.

[0010] The third generation (3G) enhancement of the GSM security scheme is defined in the Universal Mobile Telecommunications Service (UMTS) set of standards, and specifically for the security in the standard identified as 3GPP TS-33.102 "Security Architecture" specifications. This security scheme with slight variations will be used as a basis for the worldwide common security scheme for all 3G communications systems, including UMTS, TDMA, and CDMA.

[0011] The 2G GSM authentication scheme is illustrated in FIG. 2. This authentication scheme includes a home location register (HLR) 40, a visiting location register (VLR) 50, and a wireless unit or mobile terminal (MT) 60, which includes a UIM 62. When the mobile terminal 60 places a call, a request is sent to the home location register 40, which generates an authentication vector AV, also called "triplet" (RAND, SRES, Kc) from a root key Ki. The triplet includes a random number RAND, a signed response SRES, and a session key Kc. The triplet is provided to the visiting location register 50, which passes the random number RAND to the mobile terminal 60. The UIM 62 receives the random number RAND, and utilizing the root key Ki, the random number RAND, and an algorithm A3, calculates a signed response SRES. The UIM 62 also utilizes the root key Ki and the random number RAND, and an algorithm A8 to calculate the session key Kc. The SRES, calculated by the UIM 62, is returned to the visiting location register 50, which compares this value from the SRES received from the home location register 40, in order to authenticate the subscriber using the mobile terminal 60.

[0012] In the GSM "challenge/response" authentication system, the visiting location register 50 never receives root key Ki being held by the UIM 62 and the home location register 40. The VLR 50 also does not need to know the authentication algorithms used by the HLR 40 and UIM 62. Also, in the GSM authentication scheme, the triplet must be sent for every phone call by the home location register 40. RAND is 128 bits, SRES is 32 bits, and Kc is 64 bits, which is 224 bits of data for each request, which is a significant data load. The main focus of this description is the 64 bits long Kc session ciphering key which is used for user information confidentiality. When the mobile terminal roams into another serving system while in the call, the session key Kc is forwarded from the old VLR to the new target serving system.

[0013] FIG. 3 shows the UMTS security scheme which is an enhancement to the 2G GSM scheme. Similar to the GSM scheme, when the mobile terminal 90 places a call, a request is sent to the home location register 70, which sends an authentication vector AV to the Visited Location Register (VLR) 80 which contains five elements instead of the three elements of a triplet, and therefore is called "quintuplet". This vector contains the 128 bit RAND, the 64 bits SRES, the AUTN value which carries the authentication signature of the home network, and two session security keys: the 128 bit ciphering key CK and the 128 bit integrity key IK. These latter two keys, CK and IK, are the focus of this description.

[0014] The vector is provided to the visiting location register 80, which passes the random number RAND and the AUTN to the mobile terminal 90. The UIM 92 receives the random number RAND, and utilizing the root key Ki, the random number RAND, and defined algorithmic functions, validates the AUTN and calculates a signed response SRES. The UIM 92 also utilizes the root key Ki and the random number RAND and defined algorithmic functions to calculate the session keys CK and IK. The SRES, calculated by the UIM 92, is returned to the visiting location register 80, which compares this value from the SRES received from the home location register 70 in order to authenticate the subscriber using the mobile terminal 90. A focus of this description are the 128 bits long session ciphering key CK and 128 bits long session integrity key IK which are used for user information confidentiality and session integrity protection. Once the subscriber is successfully authenticated, the VLR 80 activates the CK and IK received in this authentication vector. If the mobile terminal roams into another serving system while on the call, the CK and IK are sent to the new target serving system.

[0015] The 2G IS-41 authentication scheme, used in TDMA and CDMA systems, is illustrated in FIG. 4. This authentication scheme involves a home location register (HLR) 100, a visiting location register (VLR) 110, and a mobile terminal (MT) 120, which can include a UIM 122. The root key, known as the A_key, is stored only in the HLR 100 and the UIM 122. There is a secondary key, known as Shared Secret Data SSD, which is sent to the VLR 110 during roaming. SSD is generated from the A_key using a cryptographic algorithm. The procedure for generating the SSD is described elsewhere and is known to those skilled in the art. When the MT 120 roams to a visiting network, the VLR 110 sends an authentication request to the HLR 100, which responds by sending that subscriber's SSD. Once the VLR 110 has the SSD, it can authenticate the MT 120 independently of the HLR 100, or with the assistance of the HLR 100 as is known to those skilled in the art. The VLR 110 sends a random number RAND to the UIM 122 via the MT 120, and the UIM 122 calculates the authentication response (AUTHR) using RAND and the stored value of SSD in UIM 122. AUTHR is returned to the VLR 110, which checks it against the value of AUTHR that it has independently calculated in the same manner. If the two AUTHR values match, the MT 120 is declared valid. This process repeats when the wireless unit attempts to access the system, for instance, to initiate a call, or to answer a page when the call is received.

[0016] In these cases, the session security keys are also generated. To generate session security keys, the internal state of the computation algorithm is preserved after the authentication calculation. Several session security keys are then calculated by the UIM 122 and the VLR 110 using the current value of SSD. Specifically, the 520 bits Voice Privacy Mask (VPM) is computed, which is used for concealing the TDMA speech data throughout the call. This VPM is derived at the beginning of the call by the UIM and VLR, and, if the mobile roams into another serving system during the call, the VPM is sent to the new serving system by the VLR. When the call is concluded, the VPM is erased by both the UIM and the serving VLR. Likewise, the 64 bits Signaling Message Encryption Key (SMEKEY) is computed, which is used for encrypting the TDMA signaling information throughout the call. This SMEKEY is derived at the beginning of the call by the UIM and VLR, and, if the mobile roams into another serving system during the call, the SMEKEY is sent to the new serving system by the VLR. When the call is concluded, the SMEKEY is erased by both the UIM and the serving VLR.

[0017] The 2G CDMA scheme uses a similar method of key distribution, except, instead of the 520 bits VPM, it is using the 42 Least Significant Bits (LSB) of the VPM as a seed into the Private Long Code Mask (PLCM). This PLCM is used as an additional scrambling mask for the information before its spreading. The 42-bit PLCM is consistent throughout the call and is sent to the new serving system by the VLR if the mobile roams into another serving system. The SMEKEY is used in the same way as in the TDMA based scheme.

[0018] The 3G security scheme uses the UMTS security scheme, which is based on the delivery of the 128-bits ciphering key CK and 128-bits integrity key IK to the visited system VLR, while the same keys are computed by the UIM.

[0019] Key conversions as a wireless unit roams between communications systems should be performed in a way that even if lower security of 2G schemes and algorithms is compromised and partial keys are recovered by the intruder, the 3G session keys would still maintain the same level of security. Such conversions will allow a subscriber to "roam globally" maintaining the security of communications data and integrity of communications session.

[0020] MENEZES: 'Handbook of applied cryptography' 1997, CRC PRESS LLC, US XP002191213 teaches that a key-encrypting key K may be modified on a per-use basis by a counter N. In particular, the key-encrypting key K may be modified by the counter N by performing K ⊕ N.

[0021] According to one aspect of this invention there is provided a method as claimed in claim 1.

[0022] According to another aspect of this invention there is provided a key conversion system as claimed in claims.

[0023] The present invention is a key conversion system for deterministically and reversibly converting a first key value of a first communications system into a second key value of a second communication system. For example, the key conversion system generates a first intermediate value from at least a portion of the first key value using a first random function. At least a portion of the first intermediate value is provided to a second random function to produce a second value. An exclusive-or is performed on at least a portion of the first key value and at least a portion of the second value to generate a second intermediate value. At least a portion of the second intermediate value is provided to a third random function to produce a third value. By performing an exclusive-or on at least a portion of the third value and at least a portion of the first intermediate value, the key conversion system produces at least a first portion of the second key value, and at least a second portion of the second key value is produced as the second intermediate value. The key conversion system is deterministic in that, given a first key value, a wireless unit and the wireless communications system will determine the same second key value without requiring an exchange of information.

[0024] The key conversion system is reversible or bi-directional in that, if the wireless unit is handed off back to the first communications system, the second key value of the second communications system is converted back to the first key value of the first communications system. For example, the key conversion system provides the at least second portion of the second key value to the third random function to produce the third value. The first intermediate value is generated by performing an exclusive-or on the first portion of the second key value and the third value. Using the second random function, the key conversion system generates the second value from the first intermediate value and produces at least a portion of the first key by performing an exclusive-or on the second value and the second portion of the second key value. The key conversion system provides improved security because even if almost all of the second key value is known, the first key value cannot easily be recovered. Similarly, if almost all of the first key value is known, the second key value is not easily recovered.

BRIEF DESCRIPTION OF THE DRAWINGS

[0025] Other aspects and advantages of the present invention may become apparent upon reading the following detailed description and upon reference to the drawings in which:

FIG. 1 shows a general diagram of wireless communications systems for which a key conversion system embodying the present invention can be used;

FIG. 2 is a block diagram illustrating the basic components of the prior art 2G global system for mobiles (GSM) network and security messages transmitted in the 2G GSM network;

FIG. 3 is a block diagram illustrating the basic components of the prior art 3G UMTS network and messages transmitted in the 3G UMTS network;

FIG. 4 is a block diagram illustrating the basic components of the prior art 2G IS-41 network and messages transmitted in the prior art 2G IS-41 network;

FIG. 5 is a block diagram illustrating how a user roams from a TDMA network into a generic 3G network;

FIG. 6 is a block diagram illustrating how a user roams from a generic network into a 2G TDMA network;

FIG. 7 is a block diagram illustrating how a user roams from a 2G CDMA network into a generic 3G network;

FIG. 8 is a block diagram illustrating how a user roams from a generic 3G network into a 2G CDMA network;

FIG. 9 is a block diagram illustrating how a user roams from a 2G GSM network into a generic 3G network;

FIG. 10 is a block diagram illustrating how a user roams from a generic 3G network into a 2G GSM network;

FIG. 11 is a flow diagram of an embodiment of the forward conversion for the key conversion system; and

FIG. 12 is a flow diagram of an embodiment of the reverse conversion for the key conversion system.

[0026] An illustrative embodiment of the key conversion system is described below which provides an improved key conversion for a wireless unit which roams between first and second wireless communications systems. The key conversion system deterministically and reversibly converts an m bit key value of a first communications system into an n-bit key value of a second communication system. In certain embodiments, the key conversion system uses three random functions f, g and h where random functions f and g map an m bit input string into an n-m bit string resembling a random number, and the random function h maps an n-m bit string into an m bit string resembling a random number. A random function maps inputs to outputs such that the outputs are unpredictable and random looking given the input. In the embodiments described below, the random functions are random oracles where every time an input is given it maps to the same output. Additionally, in the embodiments described below, the random functions are publicly known. For example, the random functions are known by the wireless communications system(s) involved in the intersystem handoff and the wireless unit.

[0027] The key conversion system is deterministic in that, given an m-bit key value, a wireless unit and the wireless communications system will determine the same n-bit key value without requiring an exchange of information. The key conversion system is reversible or bi-directional in that, if the wireless unit is handed off back to the first communications system, the n bit key of the second communications system is converted back to the m-bit key of the first communications system. The key conversion system provides improved security because even if almost all of the n bit key value is known, the m bit key value cannot easily be recovered. Similarly, if almost all of the m bit key value is known, the n bit key value is not easily recovered.

[0028] Depending on the embodiment, the key conversion system can provide secure, deterministic and bi-directional key conversion when a wireless unit roams between two wireless communications systems, such as between an older communications system and a newer communications system. For example where the same reference numerals indicate like components, the IS-41 3G security scheme of FIG. 5 converts, at the VLR 80 and at the wireless unit 120 (or 122), the 520-bits VPM in combination with the 64-bits SMEKEY received from the VLR 110 to the 128-bit CK and/or 128-bit IK when the wireless unit roams into the 3G system from the 2G TDMA system. Conversely, as shown in FIG. 6, the IS-41 3G security scheme converts, at the VLR 80 and the wireless unit 90 (or 92), the 128-bit CK and/or the 128-bit IK to the 520-bits VPM in combination with the 64-bits SMEKEY when the wireless unit roams into the 2G TDMA system from the 3G system. The VLR 80 provides the VPM and the SMEKEY to the VLR 110.

[0029] As shown in FIG. 7, the IS-41 3G security scheme converts, at the VLR 80 and at the wireless unit 120 (or 122), the 42-bits PLCM in combination with the 64-bits SMEKEY received from the VLR 110 to the 128-bit CK and/or the 128-bit IK when the wireless unit roams into the 3G system from the 2G CDMA system. Conversely, as shown in FIG. 8, the 3G security scheme converts, at the VLR 80 and at the wireless unit 90 (or 92), the 128-bit CK and 128-bit IK to the 42-bits PLCM in combination with the 64-bits SMEKEY when the mobile roams into the 2G CDMA system from the 3G system. The VLR 80 provides the PLCM and the SMEKEY to the VLR 110.

[0030] As shown in FIG. 9, the UMTS 3G security scheme converts, at the VLR 80 and at the wireless unit 60 (or 62), the Kc received from the VLR 50 to the 128-bit CK and/or the 128-bit IK when the wireless unit roams into the 3G UMTS system from the 2G GSM system. Conversely, as shown in FIG. 10, the UMTS 3G security system converts, at the VLR 80 and at the wireless unit 90 (or 92), the 128-bit CK and/or the 128-bit IK to the 64-bit Kc when the wireless unit roams into the 2G GSM system from the 3G UMTS system. The VLR 80 provides the Kc to the VLR 50.

[0031] Accordingly, in certain embodiments, a wireless unit that supports enhanced subscriber authentication (ESA) and enhanced subscriber privacy (ESP) in a first communications system, such as a newer 3G communications system, may implement multiple privacy modes to enable the wireless unit to provide privacy using older algorithms in a second communications system, such as an older 2G TDMA communications system. Such a wireless unit can provide other forms of privacy after intersystem handoff to an MSC for an older second communications system that does not support ESP. When handoff to the older second communications system is required, the key conversion system can convert the key values for the newer first communications system to the privacy keys needed for the older privacy algorithms supported by the older second communications system. The keys for the second communications system can be sent to the target MSC of the second communications system from the MSC of the first communications system. Since the key conversion system is deterministic, the wireless unit will also have the keys for the second communications system by performing the same conversion as the first communication system using the key conversion system of the present invention.

[0032] The key conversion system maps a key(s) from a first system into a key(s) of a second system and back again. For example, when performing an intersystem handoff between a 3G communications system and a 2G TDMA system, the key conversion system can map a cipher key CK into a VPMASK/SMEKEY (VS) pair. In this embodiment, the key conversion function possesses the following properties: 1) A 128 bit CK is mapped into a 584 bit VS; 2) The function is reversible and maps back a 584 bit VS into a 128 bit CK; and 3) The function is secure in the sense that partial knowledge of the 584 bit key will not allow the adversary to recover the CK, nor will partial knowledge of 128 bit key CK allow the adversary to recover the 584 bit VS. In certain instances, for example when the call originates in a first communication system having a larger key value than the target second communications system, the conversion system maps a key value of the first communication system to a key value of a second communications system. However, if the wireless unit returns to the first communications system, the key conversion system maps the second key value to a subsequent key value for the first communications system which is not necessarily the same as the original key value. Subsequent handoffs back to the first communications system from the second communications system produce a key value which is the same as the subsequent key value.

[0033] For example, when performing an intersystem handoff for a call originating with a 2G TDMA system to a 3G system, the key conversion system can map VPMASK/SMEKEY (VS) pair into a cipher key CK. In this embodiment, the key conversion function maps the 584 bit VS into the 128 bit CK. If the wireless unit is handed back to the 2G TDMA system, the conversion system maps back the 128 bit CK into the 584 bit VS, but the new 584 bit VS may not be the same as the original 584 bit VS. Subsequent handoffs to the 2G TDMA system from the 3G system will maintain the new 584 bit VS. Although this should not affect the security or operation of the wireless unit, the 128 bit CK is maintained the same all along in this embodiment.

[0034] In this embodiment, the key conversion system includes conversion functions available at the MSC in the newer system and at the wireless unit which convert key values for a first communications system, such as ESP keys, into key values of a second communications system, such as keys used for older privacy algorithms. In this example, the conversion function should convert the 128 bit CK key in the new first communication system to VPMASK/SMEKEY (VS) keys for the older second communication system. VPMASK is composed of 260 bits mask for each direction and SMEKEY is 64 bits long, for a total of 584 bits to be used by the older communication system. In case of an intersystem handoff from the old communication system to the new communication system, it may be useful for the conversion function to be reversible. The old communication system does not know about the new communication system and will transfer all 584 bits to the new communication system. The new communication system upon receiving the 584 bit key will realize that it needs to recover the 128 bit CK, and hence will compute the CK from the 584 bit key.

[0035] The VS keys created at the wireless unit and the MSC should be the same. This means the calculation of the VS keys must be based solely on CK and any other quantities known by both the MSC and the wireless unit. Otherwise, any new quantities (e.g. random number) would have to be exchanged between the wireless unit and the MSC prior to the conversion. The key conversion system does not require the exchange of information between the wireless unit and the new MSC and deterministically maps a CK to VS keys and VS keys to a CK key.

Additionally, weaknesses in the old communications system should not make the new communications system weak. One can achieve this by making the key conversion function cryptographically one way, so that even if the entire key of the old communication system, such as the VS key in this example, is revealed, the adversary cannot recover the key of the new communication system, such as the CK key in this example. However, this will make the system non-reversible and, as previously noted, the key conversion system should be reversible. Nevertheless, the key conversion system can be reversible and still provide almost all of the security of a non-reversible function. The security of the key conversion system in this example prevents an adversary from recovering any part of the CK key even if almost all of the VS key is revealed except a small part. The adversary can guess the small part, but he should not be able to do any better. This aspect is important because parts of VPMASK may be somewhat easy to recover, and the entire VPMASK may be easier to recover than the SMEKEY. Yet if some part of the old system is hard to recover then the adversary will not know anything about CK. A similar security can apply to CK so that a partial knowledge of CK should not tell the adversary anything about VS.

In certain embodiments, the conversion function has two modes, the forward conversion and the reverse conversion. In the example of roaming from the 3G communications system to the 2G TDMA communications system, the forward conversion takes the 128 bit randomly created CK key and expands it to 584 bit VS key. The reverse conversion function takes the 584 bit VS keys and maps it to a 128 bit CK key. In this embodiment, the forward conversion function is composed of 3 random functions f, g and h which map a given input into a random output. In this embodiment, these are not secret functions but public random functions known to everybody, including the adversary. These public random functions are referred to as random oracles in the literature. These random oracles can be implemented using hash functions and block ciphers as described below. In this example, the three random functions are f, g, h where f and g map a 128 bit input into a 456 bit random value, and h maps a 456 bit input into a 128 bit random value.

FIG. 11 shows a flow diagram of an embodiment of the forward conversion of the key conversion system for converting an m-bit key value KEY1 of a first communications system into an n-bit key value KEY2 of a second communications system. The m bit KEY1 is provided to a random function f (block 200) which maps an m-bit string into an n-m bit random number or first intermediate value R. In the example of roaming from the 3G communications system to the 2G TDMA communications system, the conversion system converts a 128 bit key CK into a 584 bit key (VPMASK, SMEKEY). The 128 bit key CK is provided to the random function f (200) which maps the 128 bit CK into a 456 bit random number or first intermediate value R. The intermediate value R is provided to a random function h (block 210) which maps an n-m bit string into an m bit random number. The m-bit output of the function h (210) is subject to an exclusive-or (XOR 220) with the m bit KEY1 to produce an m-bit second intermediate value T. In the example of roaming from the 3G communications system to the 2G TDMA communications system, the 456 bit intermediate value R is provided to the function h (210). The function h (210) maps the 456 bit value R to a 128 bit random number which is XORed with the 128 bit CK to produce a 128 bit second intermediate value T.

[0039] In the embodiment of FIG. 11, the m-bit intermediate value T is provided to a random function g (block 230). The random function g (block 230) maps an m bit string to an n-m bit random number which is subject to an exclusive-or (XOR 240) with the n-m bit intermediate value R to produce an n-m bit key value V which can be used as a key, keys or portion(s) of key(s). In this embodiment, the value V is a portion of the value KEY2 which can be used as a key, keys or portion(s) of key(s). In this embodiment, the n bit key KEY2 includes the n-m bit value V along with the m bit second intermediate value T. In the example of roaming from the 3G communications system to the 2G TDMA communications system, the random function g (230) maps the 128 bit intermediate value T into a 456 bit random number which is subject to the exclusive-or (XOR 240) with the 456 bit intermediate value R to produce the 456 bit key value V. The 456 bit value V and the 128 bit intermediate value T form the 584 bit key value KEY2 which in this example can be divided into the VPMASK and the SMEKEY for 2G TDMA systems.

[0040] The forward conversion of the CK of the 3G system to the VPMASK and SMEKEY of the 2G TDMA system can be written according to the following steps.

    1. R := f(CK)        /* create a 456 bit value from 128 bit CK by applying f */
    2. T := h(R) XOR CK  /* create a 128 bit value using h */
    3. V := g(T) XOR R   /* create a 456 bit value using g */
    4. Output T,V        /* output the 584 bit value */

[0041] FIG. 12 shows a flow diagram of an embodiment of the reverse conversion of the key conversion system for converting the n-bit key value KEY2 of the second communications system back into the m-bit key value KEY1 of the first communications system. In this embodiment, the n bit key value KEY2 is divided into an n-m bit first portion or value V and an m-bit second portion or value T. The m-bit value T is provided to the random function g (block 250) which maps an m-bit string into an n-m bit random number. The n-m bit random number is subjected to an exclusive-or (XOR 260) with the n-m bit key value V to produce the n-m bit first intermediate value R. In the example where the wireless unit roams back to the 2G TDMA system from the 3G system, the conversion system converts the 584 bit key (VPMASK, SMEKEY) into a 128 bit key CK. The 128 bit key value portion T is provided to the random function g (250) which maps the 128 bit T into a 456 bit random number. The 456 bit random number is exclusive-ORed (XOR 260) with the 456 bit key value V to produce the 456 bit first intermediate value R.
[0042] In the embodiment of FIG. 12, the n-m bit first intermediate value R is provided to a random function h (block 270). The random function h (block 270) maps an n-m bit string to an m bit random number which is subject to an exclusive-or (XOR 280) with the m bit key value T to produce an m bit key value KEY1 which can be used as a key, keys or portion(s) of key(s). In the example where the wireless unit roams back to the 2G TDMA system from the 3G system, the random function h (270) maps the 456 bit intermediate value R into a 128 bit random number which is subject to an exclusive-or (XOR 280) with the 128 bit key value T to produce the 128 bit key CK.

[0043] The reverse conversion of the VPMASK and SMEKEY of the 2G TDMA system to the CK of the 3G system can be written according to the following steps.

    1. Set T,V to 584 bit input  /* T is 128 bit part, V is 456 bit part */
    2. R = g(T) XOR V            /* create 456 bit value R using V */
    3. CK = h(R) XOR T

[0044] The random functions f, g and h can be implemented using hash functions and/or block ciphers. To implement the random functions f, g and h, which can be referred to as random oracles, cryptographic hash functions, such as the functions known as SHA-1, MD5, RIPE-MD, can be used to instantiate the random functions f, g, h. A hash function can be typically characterized as a function which maps inputs of one length to outputs of another, and given an output, it is not feasible to determine the input that will map to the given output. Moreover, it is not feasible to find two inputs which will map to the same output. In using a SHA-1 hash function, each call to the SHA-1 hash function has a 160 bit initial vector (IV) and takes a 512 bit input of payload which is mapped into a 160 bit output. The IV is set to the IV defined in the standard for SHA-1 hash function. The payload will contain various input arguments: SHA(Type, Count, Input, Pad) where Type is a byte value which defines the various functions f, g, h. Function f and g will call SHA multiple times, and Count is a byte value which differentiates the multiple calls. Input is the input argument to the functions f, g, or h. Pad is zeroes to fill the remaining bit positions in the 512 bit SHA payload. Below is an example procedure for implementing the random function f, g and h using a hash function routine referred to as SHA.

    SHA(type, count, input, pad)
    f(CK): SHA(1, 1, CK, pad)
           SHA(1, 2, CK, pad)
           SHA(1, 3, CK, pad) mod 2^136
    h(R):  SHA(2, 1, R, pad) mod 2^128
    g(T):  SHA(3, 1, T, pad)
           SHA(3, 2, T, pad)
           SHA(3, 3, T, pad) mod 2^136

Block ciphers, like AES, can be used to create functions f, g, and h,

    f(CK): E_CK(1); E_CK(2); E_CK(3); E_CK(4) mod 2^72;
    h(R):  E_K0(R1 XOR 5) XOR E_K0(R2 XOR 6) XOR E_K0(R3 XOR 7) XOR
    g(T):  E_T(9); E_T(10); E_T(11); E_T(12) mod 2^72;

where in f(CK), CK is used as the key in the block cipher and 512 bit stream is produced by encrypting 1...4 in counter mode. The last encryption is truncated from 128 bit to 72 bit to get the needed 456 bits. In h(R), a public key K0 is used to encrypt the parts of 456 bit R and the resulting ciphertexts are exclusive-ored together. R1, R2, and R3 are 128 bit values and R4 is the remaining 72 bit value of R, padded with zeroes to complete 128 bits.
[0045] Thus, the key conversion system provides bi-directional, deterministic and secure conversion of a key(s) or portion(s) thereof between first and second communications systems. The key conversion system is secure in the forward direction in that given most of the output KEY2 (for example, T,V), an adversary cannot recover KEY1 (for example, CK). In the example with the 2G TDMA and 3G systems, if all of T and most of V except say 64 bits are known, then parts of R can be recovered, but not all of R by calculating R = g(T) XOR V. An attempt can be made to recover some of CK by performing CK = h(R) XOR T. However, since all of R is not known, even a bit of information about h(R) cannot be recovered, assuming h is a random function. Hence no information can be recovered about CK. Similarly, if all of V and part of T are known, except say 64 bits of T, then no information about CK can be recovered. Since we do not know all of T, the intermediate value R cannot be calculated using g(T) XOR V. Thus without the intermediate value R, no progress can be made in recovering any information about CK.

[0046] Similarly, the key conversion system is secure in the reverse direction in that given most of the output KEY1 (for example, CK), an adversary cannot recover KEY2 (for example, T,V). In the example with the 2G TDMA and 3G systems, if a part of CK is known, no information about T,V can be recovered. Since we do not know all of CK, the intermediate value R cannot be calculated using f(CK). Thus without the intermediate value R, no progress can be made in recovering any information about T,V.
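The forward and reverse steps and the SHA(Type, Count, Input, Pad) procedure described above, written out in Python with a round trip and a tampered-input check. This is an added example, not code from the patent: it assumes hashlib's standard SHA-1 (with its own length padding) over the 64-byte payload in place of a single raw compression call, big-endian truncation for the "mod" steps, and T-then-V byte order for the 584 bit value; the CK is a constructed sample.

```python
import hashlib

CK_BYTES = 16   # m = 128 bits (CK and T)
R_BYTES = 57    # n-m = 456 bits (R and V)
PAYLOAD = 64    # 512 bit SHA payload


def sha(ftype: int, count: int, data: bytes) -> bytes:
    """SHA(Type, Count, Input, Pad): type byte, count byte, input, zero pad."""
    payload = bytes([ftype, count]) + data
    if len(payload) > PAYLOAD:
        raise ValueError("input does not fit in one 512 bit payload")
    payload += bytes(PAYLOAD - len(payload))
    # Assumption: full SHA-1 including its standard padding block,
    # not one raw compression-function call as the text describes.
    return hashlib.sha1(payload).digest()


def expand(ftype: int, data: bytes) -> bytes:
    """128 -> 456 bits: two 160 bit digests plus a third taken mod 2^136."""
    if len(data) != CK_BYTES:
        raise ValueError("expected a 128 bit input")
    return sha(ftype, 1, data) + sha(ftype, 2, data) + sha(ftype, 3, data)[-17:]


def f(ck: bytes) -> bytes:
    return expand(1, ck)


def g(t: bytes) -> bytes:
    return expand(3, t)


def h(r: bytes) -> bytes:
    """456 -> 128 bits: one digest taken mod 2^128."""
    if len(r) != R_BYTES:
        raise ValueError("expected a 456 bit input")
    return sha(2, 1, r)[-16:]


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands differ in length")
    return bytes(x ^ y for x, y in zip(a, b))


def forward(ck: bytes) -> bytes:
    """CK (128 bits) -> T,V (584 bits)."""
    r = f(ck)             # 1. R := f(CK)
    t = xor(h(r), ck)     # 2. T := h(R) XOR CK
    v = xor(g(t), r)      # 3. V := g(T) XOR R
    return t + v          # 4. Output T,V (order is an assumption)


def reverse(key2: bytes) -> bytes:
    """T,V (584 bits) -> CK (128 bits)."""
    if len(key2) != CK_BYTES + R_BYTES:
        raise ValueError("expected a 584 bit input")
    t, v = key2[:CK_BYTES], key2[CK_BYTES:]   # 1. split T,V
    r = xor(g(t), v)                          # 2. R = g(T) XOR V
    return xor(h(r), t)                       # 3. CK = h(R) XOR T


def bits_changed(a: bytes, b: bytes) -> int:
    """Number of bit positions in which a and b differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    ck = bytes(range(16))                     # constructed sample CK
    key2 = forward(ck)
    print("584 bit value:", key2.hex())
    print("round trip ok:", reverse(key2) == ck)

    # One wrong bit in V gives a wrong R, so h(R) and the recovered CK
    # are unrelated to the real ones.
    wrong = bytearray(key2)
    wrong[-1] ^= 0x01
    print("CK bits changed by one wrong V bit:",
          bits_changed(reverse(bytes(wrong)), ck), "of 128")
```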

[0047] In addition to the embodiment(s) described above, the key conversion system can be used which omit and/or add input parameters and/or random functions or other operations and/or use variations or portions of the described system. For example, the key conversion system has been described as converting between an n bit key of a first communication system and an m bit key of a second communications system using random oracles f, g and h where the random oracles f and g map an m bit string to a n-m bit random number and the random oracle h maps a n-m bit string to an m bit random number. However, different random functions can be used as well as different or additional functions which map x bit strings to y bit random numbers and/or map y bit strings to x bit random numbers where x or y can be equal to n-m or m. Additionally, the m bit key value for the first communications system can be a key, keys or portion(s) thereof, and the n bit key value for the second communications system can be a key, keys or portion(s) thereof. For example, in the example of the 2G TDMA and 3G systems, the conversion is between the 128 bit CK of the 3G system and the 584 bit key value for the SMEKEY and VPMASK of the 2G TDMA system, but the conversion could be between a 256 bit key value of CK and IK of the 3G system and the 584 bit key value for the SMEKEY and VPMASK of the TDMA system.

[0048] In the example described above, a forward conversion is from the m bit key value of the first communications system to the n bit key value of the second communications system where the first communications system corresponds to the new system and the second communications corresponds to the old system and where m<n. However, depending on the embodiment, the first communications system can be older, and the second communications system is newer. Alternatively, the forward conversion can be the conversion of the smaller size key value of one communications system to the larger bit size key value of another communications system, and the reverse conversion is the conversion of the larger bit size key value to the smaller size key value. Depending on the embodiment, the conversion of different, larger, smaller and/or the same size(s) of key value(s) between the different communications systems are possible.

[0049] Furthermore, the key conversion system can be used to handle the intersystem handoffs described in the FIGs 3-10 to convert a key, keys or portion(s) thereof from one communications system to the key, keys or portion(s) thereof of another communications system. It should be understood that different notations, references and characterizations of the various values, inputs and architecture blocks can be used. For example, the functionality described for the key conversion system can be performed in a home authentication center, home location register (HLR), a home MSC, a visiting authentication center, a visitor location register (VLR) and/or in a visiting MSC. Moreover, the key conversion system and portions thereof can be performed in a wireless unit, a base station, base station controller, MSC, VLR, HLR or other sub-system of the first and/or second communications system. It should be understood that the system and portions thereof and of the described architecture can be implemented in or integrated with processing circuitry in the unit or at different locations of the communications system, or in application specific integrated circuits, software-driven processing circuitry, programmable logic devices, firmware, hardware or other arrangements of discrete components as would be understood by one of ordinary skill in the art with the benefit of this disclosure. What has been described is merely illustrative of the application of the principles of the present invention. Those skilled in the art will readily recognize that these and various other modifications, arrangements and methods can be made to the present invention without strictly following the exemplary applications illustrated and described herein and without departing from the scope of the present invention.



Claims

1. A method of converting a first key value (key 1) for a first communications system to a second key value (key 2) of a second communications system, said method CHARACTERIZED BY:

    generating a first intermediate value (R) from at least a portion of said first key value (key 1) using a first random function (f);
    providing at least a portion of said first intermediate value (R) to a second random function (h) to produce a second value;
    performing an exclusive-or (220) on at least a portion of said first key value (key 1) and at least a portion of said second value to generate a second intermediate value (T);
    providing at least a portion of said second intermediate value (T) to a third random function (g) to produce a third value; and
    producing at least a first portion of said second key value (key 2) by performing an exclusive-or (240) on at least a portion of said third value and at least a portion of said first intermediate value (R).

2. The method of claim 1 CHARACTERIZED BY:

    producing at least a portion of said second intermediate value (T) as at least a second portion of said second key value (key 2).

3. The method of claim 1 CHARACTERIZED IN THAT said generating comprises the step of:

    providing said first key value (key 1) of m bits to a first random function (f) to produce said first intermediate value (R) of n-m bits.

4. The method of claim 3 CHARACTERIZED IN THAT said first steps of providing and performing comprise:

    providing said n-m bit first intermediate value (R) to a second random function (h) to produce an m bit second value; and
    performing an exclusive-or (220) on said m bit first key value (key 1) and said m bit second value to generate said second intermediate value (T) with m bits.

5. The method of claim 4 CHARACTERIZED IN THAT said second step of providing and said step of producing comprise:

    providing said m bit second intermediate value (T) to a third random function (g) to produce an n-m bit third value; and
    performing an exclusive-or (240) on said n-m bit third value and said n-m bit first intermediate value (R) to generate an n-m bit first portion (V) of said second key value (key 2).

6. The method of claim 5 CHARACTERIZED BY:

    providing said m bit second intermediate value (T) as an m bit second portion of said second key value (key 2) having n bits.

7. The method of claim 2 CHARACTERIZED BY the steps of:

    providing said second portion (T) of said second key value (key 2) to said third random function (g) to produce said third value; and
    generating said first intermediate value (R) by subjecting a first portion (V) of said second key value (key 2) to an exclusive-or (260) with said third value.

8. The method of claim 7 further CHARACTERIZED BY:

    using said second random function (h) to generate said second value from said first intermediate value (R); and
    producing at least a portion of said first key by subjecting said second value to an exclusive-or (280) with said second portion (T) of said second key value (key 2).

9. A key conversion system for converting a first key value (key 1) for a first communications system to a second key value (key 2) of a second communications system, said system CHARACTERIZED BY:

    processing circuitry adapted to generate a first intermediate value (R) from at least a portion of said first key value (key 1) using a first random function (f), to provide at least a portion of said first intermediate value (R) to a second random function (h) to produce a second value, to perform an exclusive-or (220) on at least a portion of said first key value (key 1) and at least a portion of said second value to generate a second intermediate value (T), to provide at least a portion of said second intermediate value (T) to a third random function (g) to produce a third value and to produce at least a first portion of said second key value (key 2) by subjecting at least a portion of said third value to an exclusive-or (240) with at least a portion of said first intermediate value (R).

10. The system of claim 9 CHARACTERIZED IN THAT said processing circuitry is configured to produce at least a portion of said second intermediate value (T) as at least a second portion of said second key value (key 2).





